Secure APIs by using OAuth 2.0

This tutorial shows you how to implement OAuth 2.0 schemes that are available in IBM API Connect to secure an API.
IBM API Connect provides two implementation modes, each of which provides different OAuth 2.0 schemes:
Confidential mode. Confidential mode is suitable when an application is capable of maintaining the secrecy of the client secret. This is usually the case when an application runs in a browser and accesses its own server when obtaining OAuth access tokens. As such, these schemes make use of the client secret. In Confidential mode there are three OAuth schemes: Application, Password and Access code.

Public mode. Public mode is suitable when an application is incapable of maintaining the secrecy of the client secret. This is usually the case when the application is native on a computer or mobile


Original URL: https://developer.ibm.com/tutorials/securing-apis-oauth2-api-connect/

Original article

Linux kernel RDS flaw affects Red Hat, Ubuntu, Debian and SUSE

If you’re not in the habit of keeping up to date with the latest version of the Linux kernel, now might be a good time to think about doing so. Systems based on versions of the kernel older than 5.0.8 suffer from a severe flaw in the implementation of RDS over TCP. Left unpatched, the flaw could enable an attacker to compromise a system. The National Vulnerability Database entry says: “There is a race condition leading to a use-after-free, related to net namespace cleanup”. Red Hat, Ubuntu, Debian and SUSE are all affected by the flaw, and security advisories have…


Original URL: https://betanews.com/2019/05/20/linux-kernel-rds-flaw/

Original article

GoDaddy Removes a Massive Network of Bogus Sales Sites

GoDaddy removed a cluster of more than 15,000 fraudulent websites discovered by a researcher at Palo Alto Networks’ Unit 42 analysis team. From a report: The scam, which sold products like weight loss pills, used breached websites to add legitimacy to its sales and involved using fake celebrity endorsements. Jeff White, the researcher at Unit 42, started researching the network of sites more than 2 years ago when he noticed spam messages that looked visually similar and used similar language. The products were sold on commission as part of an affiliate marketing program and used low initial pricing and tiny print to get people signed up for costly subscriptions. The sales took place on hacked GoDaddy websites, where hackers had set up subdomains on legitimate websites.



Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BiTT0l3eJx8/godaddy-removes-a-massive-network-of-bogus-sales-sites

Original article

We found a massive spam operation — and sunk its server

For ten days in March, millions were caught in the same massive spam campaign.
Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into the victims’ email accounts, scraped their recently sent emails, and pushed out personalized emails to the recipients of those sent emails, each carrying a link to a fake site pushing a weight loss pill or a bitcoin scam.
The emails were so convincing that more than 100,000 people clicked through.
We know this because a security researcher found the server leaking the entire operation. The spammer had forgotten to set a password.
Security researcher Bob Diachenko found the leaking data and with help from TechCrunch analyzed the server. At the time of the discovery, the spammer’s rig was no longer running. It had done its job, and the spammer had likely moved onto another server — likely in an effort to


Original URL: http://feedproxy.google.com/~r/Techcrunch/~3/2Li40DMF3O4/

Original article

How to Install Memcached (Caching Server) on CentOS 7

Memcached is an open source distributed memory object caching program that allows us to improve and speed up the performance of dynamic web applications by caching data and objects in Memory. Memcached is also…


Original URL: http://feedproxy.google.com/~r/tecmint/~3/rK26-TXvfts/

Original article

Education and Science Giant Elsevier Left Users’ Passwords Exposed Online

The world’s largest scientific publisher, Elsevier, left a server open to the public internet, exposing user email addresses and passwords. “The impacted users include people from universities and educational institutions from across the world,” reports Motherboard. “It’s not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials.” From the report: “Most users are .edu [educational institute] accounts, either students or teachers,” Mossab Hussein, chief security officer at cybersecurity company SpiderSilk, who found the issue, told Motherboard in an online chat. “They could be using the same password for their emails, iCloud, etc.” Motherboard verified the data exposure by asking Hussein to reset his own password to a specific phrase provided by Motherboard beforehand. A few minutes later, the plain text password


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/3pCMJ3N5b_0/education-and-science-giant-elsevier-left-users-passwords-exposed-online

Original article

You Have Around 20 Minutes To Contain a Russian APT Attack

When a Russian nation-state actor attacks a government or a private organization, the victim has about 20 minutes to detect and contain the attack. From a report: New statistics published today by US cyber-security firm CrowdStrike ranked threat groups based on their “breakout time.” “Breakout time” refers to the time a hacker group takes from gaining initial access to a victim’s computer to moving laterally through its network. This includes the time the attacker spends scanning the local network and deploying exploits in order to escalate their access to other nearby computers.

[…] According to data gathered from 2018 hack investigations, CrowdStrike says Russian hackers (which the company internally calls “Bears”) were the most prolific and efficient hacker groups last year, with an average breakout time of 18 minutes and 49 seconds.



Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/3EPaLCl4BXk/you-have-around-20-minutes-to-contain-a-russian-apt-attack

Original article

Nest Secure Has an Unlisted, Disabled Microphone

An anonymous reader quotes a report from Android Authority: Owners of the Nest Secure alarm system have been able to use voice commands to control their home security through Google Assistant for a while now. However, to issue those commands, they needed a separate Google Assistant-powered device, like a smartphone or a Google Home smart speaker. The reason for this limitation has always seemed straightforward: according to the official tech specs, there’s no onboard microphone in the Nest Secure system. However, Google just informed us that it is right now rolling out Assistant functionality to all Nest Secure devices via a software update. That’s right: if you currently own a Nest Secure, you will be able to use it as a Google Home very soon. That means somewhere in the Nest Guard — the keypad base station of the Nest Secure — there might be a microphone we didn’t know


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/r8IeJvdqwwI/nest-secure-has-an-unlisted-disabled-microphone

Original article

A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts

A popular WordPress plugin, installed on thousands of websites to help users share content on social media sites, left linked Twitter accounts exposed to compromise.
The plugin, Social Network Tabs, was storing so-called account access tokens in the source code of the WordPress website. Anyone who viewed the source code could see the linked Twitter handle and the access tokens. These access tokens keep you logged in to the website on your phone and your computer without having to re-type your password or enter your two-factor authentication code every time.
But if a token is stolen, most sites can’t differentiate between the account owner using it and a hacker using the stolen copy.
Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the vulnerability and shared details with TechCrunch. He later tweeted details of the bug on Thursday.
In order to test the bug, Robert found 539 websites using


Original URL: http://feedproxy.google.com/~r/Techcrunch/~3/LR44OlbFhu8/

Original article
